Fighting Storm with smog: researchers pollute botnet

Nine out of ten Americans agree that botnets suck, but isolating and …

One of the things that has made Storm, and other botnets like it, so much fun to fence with is that Storm lacks a centralized command and control server. By diffusing Storm's C&C capability through the botnet, the worm's creators made it that much harder to nullify. Researchers from the University of Mannheim and the Institut Eurecom have been experimenting with P2P botnets that lack centralized control and have discovered a way to attack such creations from within. As an added bonus, attacking the worm in this manner allows researchers to measure the number of infected systems much more accurately than they can with other, more conventional, techniques.

The research team reverse-infiltrated Storm by deliberately allowing the botnet to infect a series of honeypots. Once infected, the honeypots become launch points for the researchers' own payload. Along the way, the team was able to estimate the number of infected systems by actively tracking P2P activity rather than passively observing the total amount of spam flowing out of a single botnet.

The research team's paper (PDF) goes into considerable detail and gives specific information on how the team analyzed, monitored, and penetrated Storm's structure. Their own counter-attack, however, is elegant in its simplicity. By publishing their own set of false commands at the appropriate time, the group was able to prevent the "legitimate" commands from being received.

Being able to prevent the Storm botnet from actually carrying out its own updates is impressive, but the real strength of this research lies in its proof that botnets have weaknesses of their own that security firms can potentially exploit. At the moment, this type of attack strategy isn't a viable solution—it took the team from Mannheim and Eurecom months to fully infiltrate, explore, and develop their counterattack—but practice, as they say, makes perfect. Future botnet infiltrations could proceed much faster once a framework for launching such counterattacks is properly in place.